The embodiments of the invention in which an exclusive property or privilege is 
claimed are defined as follows: 

1 . In a computer system having an operating environment including user mode 
modules having a first level of protection and kernel mode modules having a second level of 
protection, a method for consistently collecting information associated with the execution of 
a user mode module, the method comprising: 

transmitting, by a requestor application, a request to collect kernel mode module 
information, wherein the request to collect kernel mode module information includes an 
identification of one or more process threads from which kernel mode information will be 
collected; 

obtaining, by a kernel mode module, the request to collect kernel mode module 
information; 

capturing, by the kernel mode module, information corresponding to each thread 
identified in the request to collect kernel mode module information; 

transmitting, by the kernel mode module, a result of the capturing of the information 
corresponding to each thread identified in the request to collect kernel mode module 
information; and 

receiving, by the requestor application, the result of the capturing of the information 
corresponding to each thread identified in the request to collect kernel mode module 
information. 

2. The method as recited in Claim 1, wherein the request to capture kernel mode 
module information includes an identification of a pre-allocated memory in which to store 
captured kernel mode information. 

3. The method as recited in Claim 1, wherein the kernel mode module is a driver 
application external to the operating system. 

4. The method as recited in Claim 1, wherein the kernel mode module is a an 
operating system resident application. 
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5. The method as recited in Claim 1 further comprising capturing, by the kernel 
mode module, a list of all loaded drivers. 



6. The method as recited in Claim 1, wherein capturing information 
corresponding to each thread identified in the request to collect kernel mode module 
information includes: 

(a) capturing a thread kernel stack; and 

(b) capturing all pending I/O request packet information; and 

(c) repeating (a) - (b) for each identified thread in the request to capture kernel 
mode module information. 

7. The method as recited in Claim 6, wherein capturing all pending I/O request 
packet information includes: 

(a) capturing an identification of all pending I/O request packets; 

(b) capturing current stack location for the identified I/O requests; 

(c) capturing device object information; 

(d) capturing file object information; 

(e) capturing driver object information; and 

(f) repeating (a) - (e) for each I/O request packet corresponding to a current 

thread. 

8. The method as recited in Claim 6, wherein capturing information 
corresponding to each thread identified in the request to collect kernel mode module 
information is asynchronous. 

9. The method as recited in Claim 1, wherein transmitting a result includes 
transmitting a status code corresponding to the success or failure of the information capture. 

10. The method as recited in Claim 1, wherein transmitting a result includes 
storing the captured kernel mode module information in an allocated memory. 
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11. The method as recited in Claim 1, wherein transmitting a request to collect 
kernel mode module information occurs in response to a user mode module error. 

12. A computer-readable medium having computer-executable instructions for 
performing the method recited in Claim 1 . 

13. A computer system having a processor, a memory and an operating 
environment, the computer system for performing the method recited in Claim 1 . 

14. In a computer system having an operating environment including user mode 
modules having a first level of protection and kernel mode modules having a second level of 
protection, a method for consistently collecting information associated with the execution of 
a user mode module, the method comprising: 

obtaining a user mode module request to collect kernel mode module information 
including an identification of one or more process threads from which kernel mode 
information will be collected; 

capturing information corresponding to each thread identified in the request to collect 
kernel mode module information; and 

transmitting the captured kernel mode module information. 

15. The method as recited in Claim 14, wherein the request to capture kernel 
mode module information includes an identification of a pre-allocated memory in which to 
store captured kernel mode information. 

16. The method as recited in Claim 14, wherein obtaining a user mode module 
request includes obtaining, by a driver application external to the operating system, the user 
mode module request. 

17. The method as recited in Claim 14, wherein obtaining a user mode module 
request includes obtaining, by an operating system resident application, the user mode 
module request. 
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18. The method as recited in Claim 14 further comprising capturing a list of all 
loaded drivers. 



19. The method as recited in Claim 14, wherein capturing information 
corresponding to each thread identified in the request to collect kernel mode module 
information includes: 

(a) capturing a thread kernel stack; and 

(b) capturing all pending I/O request packet information; and 

(c) repeating (a) - (b) for each identified thread in the request to capture kernel 
mode module information. 

20. The method as recited in Claim 19, wherein capturing all pending I/O request 
packet information includes: 

(a) capturing an identification of all pending I/O request packets; 

(b) capturing current stack location for the identified I/O request; 

(c) capturing device object information; 

(d) capturing file object information; 

(e) capturing driver object information; and 

(f) repeating (a) - (e) for each I/O request packet corresponding to a current 

thread. 

21. The method as recited in Claim 19, wherein capturing information 
corresponding to each thread identified in the request to collect kernel mode module 
information is asynchronous. 

22. The method as recited in Claim 1, wherein transmitting the captured kernel 
mode module information includes transmitting a status code corresponding to the success or 
failure of the information capture. 

23. A computer-readable medium having computer-executable instructions for 
performing the method recited in Claim 14. 
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24. A computer system having a processor, a memory and an operating 
environment, the computer system for performing the method recited in Claim 14. 

25. In a computer system having an operating environment including user mode 
modules having a first level of protection and kernel mode applications having a second level 
of protection, a software architecture for consistently collecting information associated with 
the execution of a user mode module, the architecture comprising: 

a processing component for capturing kernel mode module information 
corresponding to one or more processing threads identified in a request to collect kernel 
mode module information; and 

at least one application program interface for accessing the processing component 
and identifying the one or more processing threads from which to collect kernel mode 
module information. 

26. The architecture as recited in Claim 25, wherein the at least one application 
program interface is further operable to identify a pre-allocated memory to received captured 
kernel mode module information. 

27. The architecture as recited in Claim 25, wherein the processing component is 
embodied as a driver application. 

28. The architecture as recited in Claim 25, wherein the processing component is 
embodied as an operating system resident application. 

29. The architecture as recited in Claim 25, wherein the kernel mode module 
information includes a list of all loaded drivers. 

30. The architecture as recited in Claim 25, wherein the kernel mode module 
information includes a thread kernel stack and all pending I/O request packet information for 
each identified process thread. 
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31. The architecture as recited in Claim 25, wherein all pending I/O request 
packet information includes an identification of the pending I/O request packet, a current 
stack location, device object information, file object information and driver object 
information for each identified I/O request packet corresponding to an identified process 
thread. 

32. The architecture as recited in Claim 25, wherein the process component 
captures the kernel mode module information asynchronously. 
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